const caldotcom = client.defineHttpEndpoint({
  id: "cal.com",
  source: "cal.com",
  icon: "caldotcom",
  verify: async (request) => {
    //this is a useful helper function that can verify sha256 signatures
    //each API has a different header name
    return await verifyRequestSignature({
      request,
      //you can find the header name in the API's documentation
      headerName: "X-Cal-Signature-256",
      //you can find the secret in the Trigger.dev dashboard, on the HTTP endpoint page
      secret: process.env.CALDOTCOM_SECRET!,
      algorithm: "sha256",
    });
  },
});

These are the docs for Trigger.dev v2 which will be deprecated on January 31st, 2025. You probably want the v3 docs.

Most webhooks come with a signature in the request header. This signature is used to verify that the request is coming from the expected source. To verify you typically need to take the body of the payload, hash it and compare it with the signature in the header. You use a secret when you hash the payload to make sure that the payload hasn’t been tampered with.

When using HttpEndpoint you are required to verify the payload. verifyRequestSignature() is a helper function that makes this easy for the majority of webhooks.

const caldotcom = client.defineHttpEndpoint({
  id: "cal.com",
  source: "cal.com",
  icon: "caldotcom",
  verify: async (request) => {
    //this is a useful helper function that can verify sha256 signatures
    //each API has a different header name
    return await verifyRequestSignature({
      request,
      //you can find the header name in the API's documentation
      headerName: "X-Cal-Signature-256",
      //you can find the secret in the Trigger.dev dashboard, on the HTTP endpoint page
      secret: process.env.CALDOTCOM_SECRET!,
      algorithm: "sha256",
    });
  },
});

Parameters

options
required

Returns

VerifyResult
required